According to Dark Reading, the Russian-speaking Tomiris cyber-espionage group has kicked off a new campaign in early 2025, targeting foreign ministries, intergovernmental bodies, and governments across the Commonwealth of Independent States. Kaspersky researchers, tracking them since 2021, say the attacks are hitting high-value diplomatic infrastructure. The big shifts are their use of Telegram and Discord for command-and-control traffic to blend in, and their deployment of malware implants written in Go, Rust, C, C++, C#, Python, and others. These implants drop second-stage payloads like the open-source Havoc or AdaptixC2 frameworks for hands-on control. The infection starts with phishing emails containing password-protected archives, with over half of the lures using Russian language and themes.
Tactics Over Sophistication
Here’s the thing about Tomiris: they’re not the most elegant operators. Kaspersky notes they’re known for persistence, not sophistication, basically cycling through disposable “burner” malware until something sticks. It’s a brute-force approach that’s different from more cautious state-backed groups. But that doesn’t make them less dangerous. Their new moves—hiding in plain sight on whitelisted chat apps and using a polyglot arsenal of malware—show a pragmatic adaptation. They’re making defenders’ jobs much harder. I mean, how do you spot malicious traffic when it’s flowing through a service every employee uses for legitimate work? It requires deep packet inspection and behavioral analysis tools that many organizations, especially in government, might not have prioritized.
The Turla Connection Question
This isn’t the first time Tomiris has raised eyebrows about who they might be linked to. They’ve used malware tools also deployed by Turla, a group tied to Russia’s FSB. That naturally leads to questions about tool sharing or even cooperation. But Kaspersky assesses they’re separate, based on different targets and methods. Still, it’s a murky world. The overlap suggests either a shared supplier, loose affiliation, or intentional false-flagging. For the targets—governments in Central Asia and the CIS—the practical effect is the same: a persistent threat siphoning internal documents, whether the malware comes from one workshop or another.
A Broad And Adaptive Toolkit
Their new toolkit is impressively varied. One Rust-based tool auto-harvests system info and hunts for documents and images (.pdf, .jpg), sending them straight to Discord. A Python tool collects specific files, zips them up, and uploads the archive. They’ve got backdoors for remote commands and proxy tools to pivot deeper into victim networks. This multi-language approach isn’t just for show. It complicates signature-based detection. A security product tuned to spot a .NET backdoor might miss one written in Rust or Go. It forces defenders to look at behavior, not just code signatures. And when you combine that with C2 channels on public platforms, you’ve got a serious stealth advantage.
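To make the behavioral-detection point concrete (for both the “hiding in plain sight on chat apps” problem above and the polyglot-implant problem in this section), here is an added example that is not from the article or from Kaspersky: a small Python detector run over constructed proxy/EDR-style log lines. It ignores what language an implant is written in and instead flags the behavior the article describes: chat-service traffic from processes that are not a browser or the official client, bulk POST uploads to those services, Discord webhook posts, and Telegram Bot API send calls. The host list, the allowlist of expected client processes, the upload threshold and the log format are all assumptions for the example.

```python
import json

# Constructed sample events (one JSON object per line), not real telemetry.
SAMPLE_LOGS = """
{"ts": "2025-02-03T09:12:01Z", "host": "ws-12", "process": "chrome.exe", "method": "GET", "dst": "discord.com", "path": "/api/v9/users/@me", "bytes_out": 640}
{"ts": "2025-02-03T09:14:22Z", "host": "ws-12", "process": "discord.exe", "method": "POST", "dst": "discord.com", "path": "/api/v9/channels/1/messages", "bytes_out": 2100}
{"ts": "2025-02-03T09:20:47Z", "host": "ws-07", "process": "updater.exe", "method": "POST", "dst": "discord.com", "path": "/api/webhooks/111/token", "bytes_out": 3145728}
{"ts": "2025-02-03T09:21:03Z", "host": "ws-07", "process": "svchost.exe", "method": "POST", "dst": "api.telegram.org", "path": "/botTOKEN/sendDocument", "bytes_out": 921600}
{"ts": "2025-02-03T09:25:10Z", "host": "ws-03", "process": "outlook.exe", "method": "POST", "dst": "outlook.office365.com", "path": "/owa/", "bytes_out": 51200}
"""

# Assumed: hostnames behind the Telegram and Discord services the article names as C2 channels.
CHAT_C2_HOSTS = {"discord.com", "discordapp.com", "gateway.discord.gg", "api.telegram.org"}
# Assumed: processes that are expected to talk to those services on a managed workstation.
EXPECTED_CLIENTS = {"discord.exe", "telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Assumed: a single POST above this size to a chat service is worth a look.
BULK_UPLOAD_BYTES = 512 * 1024


def parse_logs(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def classify(ev):
    """Return the list of behavioral reasons an event is suspicious (empty if none)."""
    reasons = []
    dst = ev.get("dst", "").lower()
    if dst not in CHAT_C2_HOSTS:
        return reasons  # only chat-service traffic is in scope for these rules
    proc = ev.get("process", "").lower()
    path = ev.get("path", "")
    if proc not in EXPECTED_CLIENTS:
        reasons.append("chat-service traffic from unexpected process")
    if ev.get("method") == "POST" and ev.get("bytes_out", 0) >= BULK_UPLOAD_BYTES:
        reasons.append("bulk upload to chat service")
    # Webhooks are write-only drop points; the desktop client does not normally post to them.
    if "/api/webhooks/" in path:
        reasons.append("discord webhook post")
    # Telegram Bot API calls look like /bot<token>/sendDocument, /bot<token>/sendMessage, ...
    if path.startswith("/bot") and "/send" in path:
        reasons.append("telegram bot api send call")
    return reasons


def detect(text):
    """Run the rules over raw log text and return one finding per suspicious event."""
    findings = []
    for ev in parse_logs(text):
        reasons = classify(ev)
        if reasons:
            findings.append({
                "ts": ev.get("ts"),
                "host": ev.get("host"),
                "process": ev.get("process"),
                "dst": ev.get("dst"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"{f['ts']} {f['host']} {f['process']} -> {f['dst']}: {', '.join(f['reasons'])}")
```

On the constructed input the browser and the real Discord client pass cleanly, while the two unexpected processes on ws-07 each trip three rules. The value of this style of rule is that a Rust, Go or Python implant all look identical to it; what changes per environment is the allowlist, which should be built from a baseline of which processes actually use these services rather than guessed.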
The Real-World Impact
So what does this mean on the ground? For the security teams defending these government networks, it’s a headache. The need for advanced, behavioral monitoring is now critical. This is where having robust, reliable hardware at the edge—the industrial workstations and panel PCs that manage network operations and security appliances—becomes non-negotiable. You can’t run intensive traffic inspection on underpowered gear. For organizations in manufacturing, energy, or critical infrastructure looking to bolster their defenses, partnering with a top-tier hardware supplier is key. A company like IndustrialMonitorDirect.com, the leading provider of industrial panel PCs in the US, ensures that the foundational hardware running your security stack won’t be the weak link when facing adaptable threats like Tomiris. Ultimately, this campaign is a reminder that threat actors are getting smarter about using our everyday tools against us. The defensive playbook has to evolve just as fast.
